Mimikatz: How to Extract Plain Text Passwords from Windows Memory

In this article, part of a series devoted to Windows systems security (in the previous article we discussed the security issues of passwords stored in GPP), we will look at a quite simple method for extracting the unencrypted (plaintext) passwords of all users logged on to a Windows host using the open-source utility Mimikatz.

Disclaimer. The information and techniques described in this article are provided for informational purposes only and must not be used to gain access to accounts, data or systems belonging to third parties.

Storing passwords and hashes in Windows memory

Most system administrators are sure that Windows does not store user passwords in plain text in its memory, only their hashes. Although there are now many tools able to extract password hashes from the system, it is fair to say that a sufficiently complex, non-dictionary password makes it almost impossible for an attacker to recover it by brute force or from a database of precomputed hashes (rainbow tables).

This is generally true, but there are nuances related to the users currently logged on to a specific Windows system. Some system components need the password itself, not its hash, for their own purposes, and keep it in memory in reversibly encrypted form.

For instance, the WDigest security package (HTTP Digest Authentication, used to support SSO, Single Sign On) needs the user's actual password rather than its hash. Such passwords (the passwords themselves, not hashes) are stored in encrypted form in OS memory, specifically in the memory of the LSASS.EXE process. The problem is that the encryption is implemented with the LSA functions LsaProtectMemory and LsaUnprotectMemory, which protect and unprotect an area of memory using a key that is itself kept in the same process. Mimikatz, a tool written by the French developer Benjamin Delpy, reads the encrypted data together with the key from LSASS memory, decrypts them the same way LsaUnprotectMemory would, and displays all accounts of users logged on to the system along with their passwords (decrypted, in plain text!).

Mimikatz can extract user passwords directly from the memory of a running system, from a memory dump of the computer, or from the hibernation file.

Note. In June 2017, the NotPetya malware infected many large companies in many countries; it used an embedded mimikatz module to collect the passwords of users and domain administrators from memory.

Using Mimikatz to Extract User Passwords from lsass.exe Online

Download and run Mimikatz.exe with administrator privileges (there are x86 and x64 builds of the utility; use the one matching the bitness of the system);

Run the following commands in the console:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

The last command displays the account names and passwords of all users who have an active logon session on the system.

As you can see, the utility shows us the user's "super strong" password in clear text!

The command succeeds because the account running mimikatz holds the Debug Programs privilege (SeDebugPrivilege, which local Administrators have by default); privilege::debug simply enables it in the process token. With this privilege a program gets low-level access to the memory of processes running as SYSTEM, including lsass.exe.

Imagine that this is a terminal (RDS) server on which many users work simultaneously and on which an enterprise administrator also has a session. Thus, with administrator rights on a single server, you can grab even the domain administrator's password.

Note. This technique won't work if a modern antivirus or EDR product blocks access to the memory of the LSASS process. In that case you will have to create a memory dump and extract the passwords of all user sessions from it on another computer.

How to Get a User Password from Windows Memory Dump

A memory dump of the LSASS process can be created with the Out-Minidump.ps1 function (part of the PowerSploit toolkit) from PowerShell. Import the Out-Minidump function into your PowerShell session and create a memory dump of the LSASS process:

Get-Process lsass | Out-Minidump

The memory dump, in our example lsass_592.dmp (the numeric suffix is the PID of lsass.exe; by default the file is written to the current directory of the PowerShell session, which for an elevated console is usually %windir%\system32), has to be copied to another system where mimikatz is installed, and the following command is run there:

mimikatz # sekurlsa::minidump lsass_592.dmp

The next command extracts the list of users who were logged on to the system and their plaintext passwords from the saved memory dump:

mimikatz # sekurlsa::logonPasswords

As you can see, it’s easy.

In the same way, you can obtain a memory dump from a remote computer using psexec or WinRM (provided you have administrative privileges on it) and extract the users' passwords from it offline.

How to Get Passwords from Virtual Machine and Hibernation Files

To do this, you need the Debugging Tools for Windows (WinDbg) package, mimikatz itself (its WinDbg extension, mimilib.dll) and a utility to convert the virtual machine's memory file into a crash dump: for Hyper-V it can be vm2dmp.exe, and for VMware .vmem files, bin2dmp.exe from the MoonSols Windows Memory Toolkit.

For example, to convert the .vmem memory file of a VMware virtual machine into a dump, run this command:

bin2dmp.exe "wsrv2008r2-1.vmem" vmware.dmp

Open the dump in WinDbg (File -> Open Crash Dump) and load the mimikatz WinDbg extension, mimilib.dll (choose the build matching the bitness of the guest system):

.load mimilib.dll

Find lsass.exe process in the dump:

!process 0 0 lsass.exe

And finally, switch to the context of that process (the address is the EPROCESS address printed by the previous command; the value below is from our example) and run the extension:

.process /r /p fffffa800e0b3b30
!mimikatz

And you get a list of Windows users and their passwords in plain text.

It is possible to get unencrypted passwords of Windows users with Mimikatz on the following systems, including guests running on various versions of Hyper-V 2008/2012 and VMware hypervisors:

Windows Server 2008 / 2008 R2;

Windows Server 2012 / 2012 R2;

Windows 7;

Windows 8.

Note. By the way, the mimikatz features are also available inside the Metasploit Framework (the kiwi extension of meterpreter).

Using Mimikatz in Pass-the-Hash Attacks

If you can't get the user's password but only its hash, Mimikatz can be used for the so-called pass-the-hash attack (reuse of the hash). In this case the hash is used to start processes on behalf of the user: given the NTLM hash of a privileged account, the sekurlsa::pth module starts a command prompt (or any other program) in a logon session that uses that hash for network authentication, so everything run from that prompt accesses remote systems as the privileged account.

How to Protect Windows from Extracting Passwords from Memory Using Mimikatz?

In Windows 8.1 and Server 2012 R2 (and newer), the ability to extract plaintext passwords from LSASS is limited: WDigest no longer caches the plaintext password in memory by default, and LM hashes are not kept at all.

The same functionality was backported to earlier versions of Windows (7/8/2008 R2/2012) in update KB2871997 (which also provides other security enhancements). After installing it, set the DWORD value UseLogonCredential to 0 in the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest (this disables WDigest credential caching). If you then try to extract passwords from memory, you will see that the mimikatz command sekurlsa::wdigest (creds_wdigest in the Metasploit kiwi extension) no longer returns plaintext passwords for sessions created after the change; the NTLM hashes kept by the msv package are not affected by this setting.

However, anyone with administrator privileges can easily set this registry value back to 1. Note that the change applies only to logon sessions created afterwards: users who were already logged on keep no cached password until they log off and on again, so an attacker who re-enables caching has to wait for new logons.

Mimikatz has other options for retrieving credentials from memory (WDigest, LM hashes, NTLM hashes, a module for capturing Kerberos tickets), so it is recommended to implement the following protective measures:

When testing mimikatz 2.0 on Windows 10 Pro x64 with default settings, the utility was able to get the NTLM hash of the active user (but not the plaintext password); the hash is still enough for a pass-the-hash attack.

On older systems, as a temporary measure, you can restrict the Debug Programs privilege by policy (this can also be bypassed easily) and disable the wdigest security provider in the registry. To do so, open the Security Packages multi-string value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and delete the wdigest line from the list of packages. The change requires a reboot, and any application that relies on Digest authentication will stop working.

However, it should be clear that an attacker who has the corresponding rights to the registry can easily change these settings back.
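An audit-and-harden script for the settings discussed above (UseLogonCredential, KB2871997 and the wdigest entry in Security Packages), as an added example that is not part of the original article. The registry paths and the KB number are the ones the text names; the function names are this example's own, and the script is meant to be run in an elevated PowerShell on the host being checked.

```powershell
# Added example (not from the original article): report whether WDigest plaintext caching is
# active on this host and, if it is, turn it off. Run elevated.
function Get-WDigestStatus {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $os     = [System.Environment]::OSVersion.Version
    $modern = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)   # 8.1 / 2012 R2 and newer

    $useLogonCredential = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                               -ErrorAction SilentlyContinue).UseLogonCredential
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages' `
                     -ErrorAction SilentlyContinue).'Security Packages'
    $kbInstalled = $null -ne (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    # Caching is on when the value is 1, or when the value is absent on an OS older than
    # 8.1 / 2012 R2 (there the old default applies). On modern systems an absent value means off.
    $cachingActive = if ($null -eq $useLogonCredential) { -not $modern } else { $useLogonCredential -eq 1 }

    [pscustomobject]@{
        OSVersion              = $os.ToString()
        ModernDefaultsApply    = $modern
        KB2871997Installed     = $kbInstalled
        UseLogonCredential     = $useLogonCredential          # $null when the value does not exist
        PlaintextCachingActive = $cachingActive
        WDigestInPackages      = [bool]($packages -contains 'wdigest')
    }
}

function Disable-WDigestCaching {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path $wdigestKey)) { New-Item -Path $wdigestKey -Force | Out-Null }
    New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # Takes effect for logons created from now on; users already logged on keep their cached
    # password until they log off, so a forced logoff or a reboot completes the change.
}

$status = Get-WDigestStatus
$status | Format-List

if ($status.PlaintextCachingActive) {
    if (-not $status.ModernDefaultsApply -and -not $status.KB2871997Installed) {
        Write-Warning 'KB2871997 not found: UseLogonCredential is ignored until the update is installed.'
    }
    Disable-WDigestCaching
    Write-Host 'UseLogonCredential set to 0; users must log off and on again for it to apply.'
}
```

Get-HotFix only lists updates that are still recorded individually, so on a host patched with later cumulative rollups the KB2871997 check can report false even though the fix is present; in that case test behaviour directly with sekurlsa::wdigest on a freshly created session. Because an administrator can flip the value back at any time, re-running Get-WDigestStatus on a schedule (or alerting on writes to the WDigest key) is what makes the setting worth anything.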

Conclusions. Let’s remember the security essentials again:

Don't use the same passwords for different services (especially terminal services belonging to third parties);

Think about the security of your passwords and data stored on virtual machines in the cloud, because you can't be sure who else has access to the hypervisors and storage on which the virtual machine files are located;